GDPR compliance checklist

A practical guide to GDPR for teams that don't have a DPO on staff. Lawful bases, data subject rights, DPIAs, records of processing and breach notification — without the legal jargon.

GDPR in one paragraph

The General Data Protection Regulation (Regulation (EU) 2016/679; the UK GDPR and the Data Protection Act 2018 mirror it) governs how organisations collect, use, store and share the personal data of people in the EU and UK. It applies whether you have an office there or not — what matters is whether you process the data of people there.

Penalties are real: up to €20 million or 4% of global annual turnover, whichever is higher. But most enforcement starts with a complaint or a breach — and fines are reduced for organisations that can show they tried to do the right thing.

The seven principles (Article 5)

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

The implementation checklist

Step 1

Map your data

You can't comply with what you don't know you have. Catalogue every personal-data flow: source, purpose, lawful basis, recipients, retention, transfer mechanism. This becomes your Record of Processing Activities (Article 30).

Step 2

Pick a lawful basis for each purpose

Consent, contract, legal obligation, vital interests, public task, legitimate interests. Document the choice — supervisory authorities ask for this directly.

Step 3

Write the policies and notices

Privacy notice (Articles 13–14), internal privacy policy, retention schedule, data subject request procedure, breach response plan, DPIA template, vendor / processor due diligence checklist.

Step 4

Wire in data subject rights

Articles 15–22 — access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making. One month to respond. Build the mechanism before the first request arrives.

Step 5

Drill the breach process

72 hours is short. Run a tabletop exercise: who detects, who decides, who notifies, who drafts the supervisory-authority report, who talks to data subjects. Keep the evidence.

GDPR as part of your ISMS

GDPR isn't an island. Most of its security requirements (Article 32) are covered by ISO 27001 Annex A controls — run them together and you cut the documentation burden in half.

ISO-STANDARD.app ships a ready-to-adopt GDPR workspace with the risk register, controls catalogue, policies and audit-ready exports already wired together — no spreadsheet sprawl, no consultant lock-in.

Prefer a conversation? Email hello@iso-standard.app — a real human responds within one business day.

Frequently asked questions

Does GDPR apply to my business if we're not in the EU?

Yes, if you offer goods or services to people in the EU/UK, or monitor their behaviour. Article 3 makes GDPR explicitly extraterritorial — a US SaaS with EU users is in scope.

What are the six lawful bases for processing?

Consent, contract, legal obligation, vital interests, public task, and legitimate interests. You must identify one before processing starts, and document it in your Record of Processing Activities (Article 30).

When is a DPIA required?

When processing is likely to result in high risk to individuals — typically large-scale profiling, systematic monitoring of public areas, special-category data, or new technologies like AI scoring. See Article 35 and your supervisory authority's published list of triggers.

How fast must we report a breach?

To the supervisory authority within 72 hours of becoming aware (Article 33). To affected data subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms (Article 34).